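# DKIM signing for the sbruder mailserver: runs OpenDKIM as a Postfix milter
# over a local unix socket and generates a single signing key, shared by all
# configured domains (cfg.domains), on the first start of the service.
{ config, lib, pkgs, ... }:

let
  cfg = config.sbruder.mailserver;

  # Both the SMTP path and the non-SMTP path (mail injected locally, e.g. via
  # the sendmail command) of Postfix are pointed at the same OpenDKIM socket,
  # so outgoing mail is signed regardless of how it entered the queue.
  milterSocket = "unix:/run/opendkim/opendkim.sock";
in
{
  options.sbruder.mailserver.dkim = {
    # Defaults to on: signing is active whenever the mailserver itself is.
    enable = (lib.mkEnableOption "DKIM signing") // { default = true; };

    # The selector is the `s=` tag of every signature and the name under which
    # the public key is published (`<selector>._domainkey.<domain>`).  Changing
    # it makes preStart below generate a fresh key pair under the new name; the
    # previous key file is left in place.
    selector = lib.mkOption {
      type = lib.types.str;
      description = "DKIM Selector to use";
      default = "mail";
    };
  };

  # Everything below is already gated on both switches, so no nested `mkIf`
  # on cfg.dkim.enable is needed inside this block.
  config = lib.mkIf (cfg.enable && cfg.dkim.enable) {
    services.opendkim = {
      enable = true;
      selector = cfg.dkim.selector;
      # One key signs for every hosted domain (cf. `-d all-domains-generic-key`
      # in preStart).
      domains = "csl:${lib.concatStringsSep "," cfg.domains}";
      # A group-writable socket is what lets Postfix, which joins the opendkim
      # group further down, connect to the milter.
      configFile = pkgs.writeText "opendkim.conf" ''
        UMask 0002
      '';
    };

    systemd.services.opendkim = {
      # Replaces the upstream NixOS preStart wholesale (mkForce) in order to
      # pass `-b 4096` to opendkim-genkey.  Consequently any later change to
      # the upstream script is not picked up here and has to be mirrored by
      # hand.
      preStart = let
        inherit (config.services.opendkim) keyPath selector;
      in lib.mkForce ''
        cd "${keyPath}"
        # Generate only once: an existing private key is never overwritten.
        if ! test -f ${selector}.private; then
          # 4096 bits is the largest RSA size verifiers are required to accept
          # (RFC 8301).  The resulting TXT record is longer than 255 bytes, so
          # opendkim-genkey splits it into several quoted strings in
          # ${selector}.txt; not every DNS provider accepts that form as-is.
          ${pkgs.opendkim}/bin/opendkim-genkey \
            -s ${selector} \
            -d all-domains-generic-key \
            -b 4096
          # Only the public record is written to the journal; the private key
          # stays in "${keyPath}".  (The former message ended in a literal
          # "\n", which bash's builtin echo does not interpret; a plain blank
          # line is emitted instead.)
          echo "Generated OpenDKIM key! Please update your DNS settings:"
          echo
          echo "-------------------------------------------------------------"
          cat ${selector}.txt
          echo "-------------------------------------------------------------"
        fi
      '';
    };

    # Membership in the opendkim group is what grants Postfix access to the
    # group-writable milter socket configured above.
    users.users.postfix.extraGroups = lib.singleton config.users.users.opendkim.group;

    services.postfix.config = {
      smtpd_milters = lib.singleton milterSocket;
      non_smtpd_milters = lib.singleton milterSocket;
    };
  };
}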